$NetBSD: patch-CVE-2022-48303,v 1.1 2023/03/26 09:18:48 spz Exp $

fix for CVE-2022-48303
from git.savannah.gnu.org commit 3da78400eafcccb97e2f2fd4b227ea40d794ede8

--- src/list.c.orig	2021-02-04 14:00:33.000000000 +0000
+++ src/list.c
@@ -874,8 +874,9 @@ from_header (char const *where0, size_t 
 	  where++;
 	}
     }
-  else if (*where == '\200' /* positive base-256 */
-	   || *where == '\377' /* negative base-256 */)
+  else if (where <= lim - 2
+	  && (*where == '\200' /* positive base-256 */
+	      || *where == '\377' /* negative base-256 */))
     {
       /* Parse base-256 output.  A nonnegative number N is
 	 represented as (256**DIGS)/2 + N; a negative number -N is
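Review bot: The added bound `where <= lim - 2` does not say why two bytes are required, and it computes `lim - 2` before comparing, which forms a pointer ahead of the field if a caller ever passes fewer than two digits. Writing the test as a length check, `else if (lim - where >= 2`, keeps the same meaning without that pointer arithmetic. A short comment would help the next reader, for example `/* base-256 needs the marker byte and at least one more byte inside the field */`. The code that consumes those bytes lies below the hunk in from_header, so the exact read pattern is inferred here and should be confirmed against the full function. A one-byte field holding '\200' or '\377' now skips this branch, so it is worth checking that the code after the if/else chain rejects it as an invalid header value and does not silently accept it.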
